[Freeipa-users] KPasswd TCP issues

Petr Spacek pspacek at redhat.com
Wed Feb 20 08:32:57 UTC 2013


On 19.2.2013 23:29, ninibaba at worldd.org wrote:
>>> On Tue, Feb 19, 2013 at 10:49:42AM -0700, ninibaba at worldd.org wrote:
>>>> I used IPA from the CentOS 6 repositories and I am having an issue I
>>>> can't seem to solve. I installed a server and a client with no
>>>> issues, but upon Nessus scans of the server, port 464 kpasswd UDP was
>>>> flagged for a ping-pong DoS attack. With this information I noticed
>>>> kpasswd also listens on TCP 464 which I understand was used for
>>>> over-sized requests and other errors. I attempted to IPTABLES block UDP for
>>>> kerberos which resulted in kpasswd no longer functioning from the
>>>> client. Kerberos authentication defaults to TCP without issue, but no matter
>>>> what I cannot get the client to use TCP for kpasswd. Is there a way
>>>> to force kpasswd on the client to use TCP (I was under the understanding
>>>> that if UDP failed TCP would be attempted)? I am running the latest
>>>> from the CentOS 6 repos on both server and client. Thank you!
>>>
>>> I just did a spot-check with udp port 464 set to REJECT on my server,
>>> with krb5-libs-1.9-33.el6_3.3. It looks like the client is getting an
>>> ECONNREFUSED after trying to use the UDP port, and then correctly
>>> falling back and opening a TCP connection.
>>>
>>> Do you have more information about what exactly happens when it fails?
>>> What does 'kpasswd' log when it's run with KRB5_TRACE set to /dev/stderr
>>> in its environment? Is anything logged to /var/log/kadmind.log on the
>>> server when you run 'kpasswd' on the client? Can you try it while using
>>> 'tcpdump -s0 -w cap -i any "port 464"' to capture traffic that's passed
>>> between the two?
>>>
>>> Nalin
>>>
>> /FACEPALM
>> So problem solved, I allowed all the necessary ports via IPTABLES, but left
>> the default REJECT rule in that comes by default to handle blocking the UDP
>> port for kpasswd. The default REJECT rule in this case still answers with
>> prohibited instead of just a normal REJECT set for unreachable. Problem solved.
>> Thanks for pointing me somewhere =)
>>
> Actually I'd like to take that back now. It works fine when running kpasswd,
> but if the user password is expired when SSHing to the client, during the
> reset it only tried UDP, same if issuing the passwd command as well.

I would recommend completely removing the SRV records for kpasswd over UDP (in 
case you blocked kpasswd over UDP for all clients).

# ipa dnsrecord-del example.com _kpasswd._udp

This should prevent clients from even trying UDP.

Don't forget about DNS amplification attacks if you are paranoid :-)

-- 
Petr^2 Spacek
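
To check a zone the way Petr's reply suggests, here is an added example (not code from the thread, FreeIPA or MIT krb5): it parses a constructed BIND-style zone dump, flags any _kpasswd SRV record whose transport the server firewall rejects, and prints the matching ipa dnsrecord-del command. The zone excerpt, the hostnames and the ALLOWED_464 policy are constructed assumptions.

```python
import re
from dataclasses import dataclass

# Constructed zone-file excerpt (hostnames are placeholders, not from the thread).
ZONE = """
_kerberos._tcp.example.com.  86400 IN SRV 0 100 88  ipa.example.com.
_kerberos._udp.example.com.  86400 IN SRV 0 100 88  ipa.example.com.
_kpasswd._tcp.example.com.   86400 IN SRV 0 100 464 ipa.example.com.
_kpasswd._udp.example.com.   86400 IN SRV 0 100 464 ipa.example.com.
_ldap._tcp.example.com.      86400 IN SRV 0 100 389 ipa.example.com.
"""
# Constructed firewall policy: transports the server's iptables rules accept on port 464.
ALLOWED_464 = {"tcp"}
SRV_RE = re.compile(
    r"^(?P<service>_[a-z0-9-]+)\.(?P<proto>_tcp|_udp)\.(?P<zone>\S+)\s+"
    r"(?:\d+\s+)?(?:IN\s+)?SRV\s+\d+\s+\d+\s+(?P<port>\d+)\s+(?P<target>\S+)$",
    re.IGNORECASE)

@dataclass(frozen=True)
class Srv:
    service: str  # e.g. "_kpasswd"
    proto: str    # "tcp" or "udp"
    zone: str     # zone name without the trailing dot
    port: int
    target: str

def parse_srv(zone_text):
    """Return the SRV records in a zone dump; other record types are skipped."""
    records = []
    for line in zone_text.splitlines():
        m = SRV_RE.match(line.strip())
        if m:
            records.append(Srv(m["service"].lower(), m["proto"][1:].lower(),
                               m["zone"].rstrip("."), int(m["port"]),
                               m["target"].rstrip(".")))
    return records

def kpasswd_mismatches(records, allowed_protos):
    """kpasswd SRV records pointing clients at a transport the firewall rejects.

    A client that only tries UDP (the expired-password flow in the thread) is
    answered by the REJECT rule and never reaches the TCP listener on 464.
    """
    return [r for r in records
            if r.service == "_kpasswd" and r.proto not in allowed_protos]

def removal_commands(mismatches):
    """The ipa dnsrecord-del invocation from Petr's reply, one per offending record."""
    return [f"ipa dnsrecord-del {m.zone} {m.service}._{m.proto}" for m in mismatches]
```

Run it as `python3 -c 'import audit; print(audit.removal_commands(audit.kpasswd_mismatches(audit.parse_srv(audit.ZONE), audit.ALLOWED_464)))'` after saving it as audit.py, or feed it a real `dig AXFR` dump instead of the constructed ZONE string.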
